Dragonfly, a group of attackers making headlines recently, has been conducting a malicious campaign targeting the energy sector and industrial control systems (ICS). While the attack vectors in use are common, the group's compromise of update sites for these industries sets them apart.

The various methods of infection employed by this group included:

PDF attachments via email

The use of the Hello exploit kit, an obfuscated variant of the Lightsout exploit kit

Compromise of ICS and energy sector software update sites, with malware bundled into the legitimate downloads hosted there (a technique known as waterholing)

Compromised content management systems used to host call-home (command-and-control) activity

Websense® ThreatSeeker® Intelligence Cloud offered proactive protection from this specific threat. Exploit content was identified based on specific traits, including the use of JavaScript obfuscation, attempts to identify the visitor's operating system, and attempts at code execution via an Internet Explorer vulnerability (CVE-2012-4792). Additionally, call-home attempts were identified based on the reputation of the contacted hosts and the use of structures attributed to such activity.
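As an added illustration of the landing-page traits just described (this is example code written for this post, not Websense's detection logic), the function below scores a fetched page on the co-occurrence of JavaScript obfuscation markers and browser/OS fingerprinting. The patterns, weights and both sample pages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristics: illustrative, not a vendor signature set.
OBFUSCATION_PATTERNS = {
    "eval_unescape": re.compile(r"\b(eval|unescape)\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    # long runs of %uXXXX or \xXX escapes typically hide a decoded payload
    "escaped_blob": re.compile(r"(?:%u[0-9a-f]{4}|\\x[0-9a-f]{2}){16,}", re.I),
    "long_hex_literal": re.compile(r"[\"'][0-9a-f]{200,}[\"']", re.I),
}
OS_FINGERPRINT_PATTERNS = {
    "user_agent": re.compile(r"navigator\.(userAgent|platform|appVersion)"),
    "plugin_enum": re.compile(r"navigator\.(plugins|mimeTypes)"),
    "ie_version": re.compile(r"MSIE\s*\d", re.I),
}


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)


def triage_page(html: str) -> Verdict:
    """Score a page: obfuscation +2 per trait, fingerprinting +1 per trait,
    and +3 when both families appear together, the pairing worth escalating."""
    v = Verdict()
    for name, pat in OBFUSCATION_PATTERNS.items():
        if pat.search(html):
            v.hits.append("obfuscation:" + name)
            v.score += 2
    for name, pat in OS_FINGERPRINT_PATTERNS.items():
        if pat.search(html):
            v.hits.append("fingerprint:" + name)
            v.score += 1
    families = {h.split(":")[0] for h in v.hits}
    if {"obfuscation", "fingerprint"} <= families:
        v.score += 3
    return v


# Constructed samples: a benign analytics snippet versus a page that
# fingerprints the browser and then decodes and evaluates an escaped blob.
BENIGN_SAMPLE = ("<script>var ua=navigator.userAgent;"
                 "document.getElementById('ua').textContent=ua;</script>")
SUSPICIOUS_SAMPLE = ("<script>var ua=navigator.userAgent;if(ua.indexOf('MSIE 8')>-1){"
                     "var s=unescape('" + "%u4141" * 20 + "');eval(s);}</script>")
```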

While the complexity and approach of malicious actors change, the use of exploits targeting plug-ins such as Java continues to be a tried-and-trusted method, as we stated in our 2014 Predictions. Malware authors will continue to strike at the platforms widely adopted by businesses, as organizations struggle to balance business needs and security requirements.